Rodolf Virus


 Virus Name:  Rodolf 
 Aliases:     Rodolf.4096, Rodolf.4096.A 
 V Status:    New 
 Discovery:   July, 1995 
 Symptoms:    .COM & .EXE growth; message displayed; system hangs; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  4,096 Bytes 
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, IBMAV, 
                   NAV, NAVDX, ChAV, 
                   NShld, Sweep/N, NAV/N, AVTK/N, IBMAV/N, NProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Rodolf virus was received in July, 1995.  Its origin or point 
       of isolation is unknown.  Rodolf is a memory resident infector of 
       .COM and .EXE files, including COMMAND.COM. 
 
       When the first Rodolf infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, moving interrupt 12's return.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program 
       from DOS 5.0, will have decreased by 4,096 bytes.  Interrupt 21 is 
       hooked by the virus in memory. 
 
       Once the Rodolf virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed.  If 
       the program was previously infected by the virus, it will be 
       reinfected at this time.  Programs infected with the Rodolf virus 
       will have a file length increase of 4,096 bytes for each infection 
       of the virus present on the file.  The virus will be located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       are visible within the viral code: 
 
           "Rodolf virus Version 1.0" 
           "Hi hi ! I'm killing you !" 
           "ED" 
 
       The last text string above will be the last two bytes in any 
       infected file. 
 
       Occasionally, the Rodolf virus will display the second text string 
       above as a message in flashing yellow text with a blue background on 
       the system monitor when a program is executed.  A system hang will 
       also occur at this time. 
 
       Known variant(s) of Rodolf are: 
       Rodolf.4096.B: Received in January, 1996, this is a 4,096 byte 
           variant which is functionally very similar to the Rodolf virus 
           described above.  It contains the following unencrypted text 
           strings: 
           "Manu virus Version 1.0" 
           "CORCH.EXE RM.COM" 
           "Parity error 0000:F243" 
           "stack.stack.stack.stack.stack.stack" 
           The repeated text string "stack." occurs many more times than 
           is indicated above.  Like the original virus, this variant also 
           reinfects previously infected files. 
           Origin: Unknown  January, 1996. 
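
       The file-level indicators in this entry (4,096 bytes appended per
       infection, the "ED" trailer, the visible version strings) can be
       checked as in the sketch below. It is an added example, not part of
       the original entry or of any listed scanner. The names scan and
       constructed_body are hypothetical, the sample data is constructed,
       and it assumes the version strings sit as plain ASCII inside each
       appended 4,096-byte block.

```python
BODY_LEN = 4096          # growth per infection, from the entry
TRAILER = b"ED"          # last two bytes of a Rodolf-infected file, from the entry
MARKERS = {              # text strings quoted in the entry
    b"Rodolf virus Version 1.0": "Rodolf.4096.A",
    b"Manu virus Version 1.0": "Rodolf.4096.B",
}


def scan(data: bytes) -> dict:
    """Count stacked infections by walking back over 4,096-byte tail blocks."""
    found, end = [], len(data)
    while end >= BODY_LEN:
        block = data[end - BODY_LEN:end]
        name = next((v for m, v in MARKERS.items() if m in block), None)
        if name is None:
            break                      # reached host code, stop
        found.append(name)
        end -= BODY_LEN
    return {
        "variants": found,             # most recent infection first
        "infections": len(found),
        "trailer_ed": data.endswith(TRAILER),
        "host_length": end,            # estimated size before infection
    }


def constructed_body(marker: bytes) -> bytes:
    """Inert 4,096-byte stand-in for an appended body (constructed test data)."""
    return marker + b"\x00" * (BODY_LEN - len(marker) - len(TRAILER)) + TRAILER


if __name__ == "__main__":
    body = constructed_body(b"Rodolf virus Version 1.0")
    reinfected = b"\x90" * 100 + body + body     # host plus two stacked copies
    clean = b"MZ" + b"\x00" * 5000 + b"ED"       # benign file that ends in "ED"
    print(scan(reinfected))
    print(scan(clean))
```

       The two-byte "ED" trailer also matches unrelated files, so it is
       reported separately and only a version string counts as a hit.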
